Microsoft Edge vulnerability exposed as Microsoft misses Google's Project Zero disclosure deadline
Google has revealed details of a security vulnerability in Microsoft Edge before a patch has been produced. Through Project Zero, Google notified Microsoft about a bug in the browser's Arbitrary Code Guard (ACG) feature back in November, giving the company the usual 90-day disclosure deadline.
Google went further, granting Microsoft a further grace period of two weeks on request, but the vulnerability remains unfixed in Windows 10. As such, details of the "ACG bypass using UnmapViewOfFile" bug have now been made public.
The problem -- which Microsoft is expected to fix in next month's Patch Tuesday -- has been classified as being of Medium severity, and relates to the JIT (Just In Time) compiler for JavaScript. Given Edge's small market share, the security issue -- which could allow a browser compromise by predicting the address at which the JIT process will next allocate memory -- is unlikely to affect too many people, but it's embarrassing for Microsoft nevertheless.
The entry for the vulnerability on Project Zero explains the potential problem:
If a content process is compromised and the content process can predict on which address the JIT process is going to call VirtualAllocEx() next (note: it is fairly predictable), the content process can:
- Unmap the shared memory mapped above using UnmapViewOfFile()
- Allocate a writable memory region on the same address the JIT server is going to write to and write a soon-to-be-executable payload there.
- When the JIT process calls VirtualAllocEx(), even though the memory is already allocated, the call is going to succeed and the memory protection is going to be set to PAGE_EXECUTE_READ.
Google granted Microsoft a 14-day extension to the usual 90-day disclosure period after the company complained that the problem was more complex, and therefore more difficult to fix, than first thought. Having missed the second deadline, the information is now out there for everyone to see.